risk management. security planning: an applied approach | 8/3/2015 | 2 objectives students should be...

Risk Management

Upload: lesley-sharp

Post on 22-Dec-2015


TRANSCRIPT

Page 1: Risk Management. Security Planning: An Applied Approach | 8/3/2015 | 2 Objectives Students should be able to: Define risk management process: risk management,

Risk Management


Security Planning: An Applied Approach | 04/19/23 | 2

Objectives

Students should be able to:

Define risk management process: risk management, risk assessment, risk analysis, risk appetite, risk treatment, accept residual risk

Define treat risk terms: risk acceptance/risk retention, risk avoidance, risk mitigation/risk reduction, risk transference

Describe threat types: natural, unintentional, intentional, intentional (non-physical)

Define threat agent types: hacker/crackers, criminals, terrorists, industry spies, insiders

Describe risk analysis strategies: qualitative, quantitative

Define vulnerability, SLE, ARO, ALE, due diligence, due care

Page 3

How Much to Invest in Security?

How much is too much?

Firewall

Intrusion Detection/Prevention

Guard

Biometrics

Virtual Private Network

Encrypted Data & Transmission

Card Readers

Policies & Procedures

Audit & Control Testing

Antivirus / Spyware

Wireless Security

How much is too little?

Hacker attack

Internal Fraud

Loss of Confidentiality

Stolen data

Loss of Reputation

Loss of Business

Penalties

Legal liability

Theft & Misappropriation

Security is a Balancing Act between Security Costs & Losses

Page 4

Risk Management

Internal Factors / External Factors (diagram): Regulation, Industry, Culture, Corporate History, Management’s Risk Tolerance, Organizational Maturity, Structure

Risk Mgmt Strategies are determined by both internal & external factors

Risk Tolerance or Appetite: The level of risk that management is comfortable with

Page 5

Risk Appetite

Do you operate your computer with or without antivirus software?

Do you have antispyware?

Do you open emails with forwarded attachments from friends or follow questionable web links?

Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?

Companies too have risk appetites, decided after evaluating risk

Page 6

Risk Management Process

Page 7

Continuous Risk Mgmt Process (cycle diagram, with Risk Appetite feeding every stage):

Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> back to Identify & Assess Risks

Risks change with time as business & environment changes

Controls degrade over time and are subject to failure

Countermeasures may open new risks

Page 8

Security Evaluation: Risk Assessment

Five steps include:

1. Assign Values to Assets: Where are the Crown Jewels?

2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability

3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?

4. Compute Expected Loss: Loss = Downtime + Recovery + Liability + Replacement; Risk Exposure = ProbabilityOfVulnerability * $Loss

5. Treat Risk: Reduce, Transfer, Avoid or Accept Risk; Risk Leverage = [(risk exposure before reduction) - (risk exposure after reduction)] / (cost of risk reduction)

Page 9

Step 1: Determine Value of Assets

Identify & Determine Value of Assets (Crown Jewels). Assets include:

IT-Related: Information/data, hardware, software, services, documents, personnel

Other: Buildings, inventory, cash, reputation, sales opportunities

What is the value of this asset to the company?

How much of our income can we attribute to this asset?

How much would it cost to recover this?

How much liability would we be subject to if the asset were compromised?

Helpful websites: www.attrition.org

Page 10

Determine Cost of Assets (worksheet: one block for each product line under Sales: Product A, Product B, Product C)

Risk: Replacement Cost = ___
Cost of loss of integrity = ___
Cost of loss of availability = ___
Cost of loss of confidentiality = ___

Costs: Tangible ($) or Intangible (High/Med/Low)

Page 11

Matrix of Loss Scenario (taken from CISM Exhibit 2.16)

Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Hacker steals customer data; publicly blackmails company | 1-10K Records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
Backup tapes and Cust. data found in garbage; makes front-page news | 10M Records | $20M | $20M | $10M | $5M | $200K
Contractor steals employee data; sells data to hackers | 10K Records | $5M | $10M | Min. | Min. | $200K

Page 12

Step 1: Determine Value of Assets

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Registration Server | $10,000 | Breach Not. Law = $520,000; Registration loss per day = $16,000; Forensic help = $100,000 | Affects: Confidentiality, Availability. Conf => Breach Notification Law => Possible FERPA Violation => Forensic Help. Availability => Loss of Registrations
Grades Server | $10,000 | Lawsuit = $1 million; FERPA = $1 million; Forensic help = $100,000 | Affects: Confidentiality, Integrity. Integrity => Student Lawsuit. Confidentiality => FERPA violation. Both => Forensic help
Student(s) and/or Instructor(s) | $2,000 per student (tuition); $8,000 per instructor (for replacement) | Lawsuit = $1 Million; Investigation costs = $100,000; Reputation = $400,000 | (E.g.,) School Shooting: Availability (of persons’ lives). Issues may arise if we should have removed a potentially harmful student, or did not act fast.

Workbook

Page 13

Statistics from Ponemon Data Breach Study 2014, sponsored by IBM

Data breach cost – total (avg. cost per compromised record, by breach type):

Malicious or criminal attack (44% of breaches): $246

Employee error (31% of breaches): $171

System glitch (25% of breaches): $160

Average: $201

Data breach cost – components (avg. cost per compromised record):

Indirect costs (internal employee time and abnormal churn of customers): $134

External expenses (forensic expertise, legal advice, victim identity protection services): $67

Page 14

More 2014 Ponemon Statistics

Sector | Prob. of Breach | Cost per record | Churn rate
Communications | 15.6% | 219 | 1.2
Consumer | 19.9% | 196 | 2.6
Education | 21.1% | 254 | 2.0
Energy | 7.5% | 237 | 4.0
Financial | 17.1% | 236 | 7.1
Health care | 19.2% | 316 | 5.3
Hospitality | 19.5% | 93 | 2.9
Industry | 9.0% | 204 | 3.6
Media | 19.7% | 183 | 1.9
Pharmaceutical | 16.9% | 209 | 3.8
Public sector | 23.8% | 172 | 0.1
Research | 11.5% | 73 | 0.7
Retail | 22.7% | 125 | 1.4
Services | 19.8% | 223 | 4.2
Technology | 18.9% | 181 | 6.3
Transportation | 13.5% | 286 | 5.5

Page 15

Consequential Financial Loss Calculations

Consequential Financial Loss | Total | Loss Calculations or Notes
Lost business for one day (1D) | 1D = $16,000 | Registration = $0-500,000 per day in income (avg. $16,000)
Breach not. law | $752,000 | Breach Not. Law Mailings = $188 x 4000 Students = $752,000
Lawsuit | $1 Million | Student lawsuit may result as a liability.
Forensic Help | $100,000 | Professional forensic/security help will be necessary to investigate extent of attack and rid system of hacker
FERPA | $1 Million | Violation of FERPA regulation can lead to loss of government aid, assumes negligence.

Page 16

Step 2: Determine Loss Due to Threats

Physical Threats

Natural: Flood, fire, cyclones, hail/snow, plagues and earthquakes

Unintentional: Fire, water, building damage/collapse, loss of utility services and equipment failure

Intentional: Fire, water, theft and vandalism

Human Threats

Ethical/Criminal: Fraud, espionage, hacking, social engineering, identity theft, malware, vandalism, denial of service

External Environmental: industry competition, contract failure, or changes in market, politics, regulation or tech.

Internal: management error, IT complexity, organization immaturity, accidental data loss, mistakes, software defects, incompetence and poor risk evaluation

Page 17

Threat Agent Types

Threat Agent | Motivation | Threat
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists/Hostile Intel. Service | Spying/destruction/revenge/extortion | DOS, info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

Page 18

Step 2: Determine Threats Due to Vulnerabilities

System Vulnerabilities

Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment

Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement

Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication

Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy

Page 19

Step 3: Estimate Likelihood of Exploitation

Best sources:

Past experience

National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media

Specialists and expert advice

Economic, engineering, or other models

Market research & analysis

Experiments & prototypes

If no good numbers emerge, estimates can be used, if management is notified of guesswork

Page 20

Category | Specific Threats | Small-Medium Org. | Large Businesses
Who: Internal Incidents (14%) | Cashier, waiter, bank teller (financial) | 60% | 14%
 | End user (mix: finance and espionage) | 13% | 24%
 | System admin (mainly espionage) | 4% | 31%
Who: External Incidents (92%) | Organized crime (financial) | 57% | 49%
 | State-affiliated (espionage) | 20% | 24%
 | Activist, Former Employee | <3% | <2%
Malware (40%) | Spyware (keystroke loggers, form grabbers) | 86% | 55%
 | Backdoor (secret computer access) | 51% | 82%
 | Stealing data (mainly for spying) | 54% | 73%
Hacking (52%) | Password copying or guessing | 88% | 74%
 | Remote control (botnet, backdoor) | 36% | 62%
Social (29%) | Phishing (email 79%, in person 13%) | 71% | 82%
Misuse (13%) | Privilege Abuse | 43% | 87%
 | Unapproved hardware | 52% | 22%
 | Embezzlement | 54% | 4%
Physical (35%) | Tampering (ATM, PoS device) | 74% | 95%
Error (2%) | Misconfigurations (violations of policy) | Not avail. | Not avail.
Error (67%) (VERIS Study) | Media confidentiality (loss of media) (29%), user confidentiality (20%), user availability (18%) | Not avail. | Not avail.

Page 21

Step 4: Compute Expected Loss: Risk Analysis Strategies

Qualitative: Prioritizes risks so that highest risks can be addressed first; based on judgment, intuition, and experience; may factor in reputation, goodwill, nontangibles

Quantitative: Measures approximate cost of impact in financial terms

Semiquantitative: Combination of Qualitative & Quantitative techniques

Page 22

Step 4: Compute Loss Using Qualitative Analysis

Qualitative Analysis is used:

• As a preliminary look at risk

• With non-tangibles, such as reputation, image -> market share, share value

• When there is insufficient information to perform a more quantified analysis

Page 23

Vulnerability Assessment Quadrant Map (axes: Threat (Probability) vs. Vulnerability (Severity); items plotted: Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder)

Workbook

Page 24

Step 4: Compute Loss Using Semi-Quantitative Analysis

Impact

1. Insignificant: No meaningful impact

2. Minor: Impacts a small part of the business, < $1M

3. Major: Impacts company brand, > $1M

4. Material: Requires external reporting, > $200M

5. Catastrophic: Failure or downsizing of company

Likelihood

1. Rare

2. Unlikely: Not seen within the last 5 years

3. Moderate: Occurred in last 5 years, but not in last year

4. Likely: Occurred in last year

5. Frequent: Occurs on a regular basis

Risk = Impact * Likelihood

Page 25

SemiQuantitative Impact Matrix (rows: Impact, columns: Likelihood; on the original slide each cell is colour-coded SEVERE, HIGH, MEDIUM or LOW)

Impact \ Likelihood | Rare (1) | Unlikely (2) | Moderate (3) | Likely (4) | Frequent (5)
Catastrophic (5) | | | | |
Material (4) | | | | |
Major (3) | | | | |
Minor (2) | | | | |
Insignificant (1) | | | | |
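The impact and likelihood scales above, scored as Risk = Impact * Likelihood, as an added Python example (not code from the slide deck): the dollar thresholds and incident-history rules are the slide's, while the band cut-offs of the matrix and the reading of "Rare" as never observed are assumptions.

```python
"""Semi-quantitative risk scoring from the Impact and Likelihood scales.

Added example, not from the slide deck. Impact dollar thresholds and the
likelihood history rules are the ones printed on the slide; the score
bands (LOW/MEDIUM/HIGH/SEVERE cut-offs) and the treatment of "Rare" as
never observed in company history are constructed assumptions, because
the coloured matrix cells did not survive extraction.
"""
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    INSIGNIFICANT = 1   # no meaningful impact
    MINOR = 2           # small part of the business, < $1M
    MAJOR = 3           # company brand, > $1M
    MATERIAL = 4        # requires external reporting, > $200M
    CATASTROPHIC = 5    # failure or downsizing of company


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2        # not seen within the last 5 years
    MODERATE = 3        # occurred in last 5 years, but not in last year
    LIKELY = 4          # occurred in last year
    FREQUENT = 5        # occurs on a regular basis


def impact_from_loss(loss_usd: float, company_fails: bool = False) -> Impact:
    """Map an estimated single loss to the slide's impact scale."""
    if company_fails:
        return Impact.CATASTROPHIC
    if loss_usd <= 0:
        return Impact.INSIGNIFICANT
    if loss_usd < 1_000_000:
        return Impact.MINOR
    if loss_usd <= 200_000_000:
        return Impact.MAJOR
    return Impact.MATERIAL


def likelihood_from_history(years_since_last: Optional[float],
                            per_year: float = 0.0) -> Likelihood:
    """Map incident history to the slide's likelihood scale.

    years_since_last=None means never observed (treated as RARE: assumption);
    per_year >= 2 is taken as "occurs on a regular basis" (assumption)."""
    if per_year >= 2:
        return Likelihood.FREQUENT
    if years_since_last is None:
        return Likelihood.RARE
    if years_since_last < 1:
        return Likelihood.LIKELY
    if years_since_last <= 5:
        return Likelihood.MODERATE
    return Likelihood.UNLIKELY


def risk_score(impact: Impact, likelihood: Likelihood) -> int:
    """Risk = Impact * Likelihood, giving a score from 1 to 25."""
    return int(impact) * int(likelihood)


def risk_band(score: int) -> str:
    """Assumed cut-offs for the colour bands of the matrix."""
    if score >= 16:
        return "SEVERE"
    if score >= 10:
        return "HIGH"
    if score >= 5:
        return "MEDIUM"
    return "LOW"


def score_scenario(name: str, loss_usd: float, years_since_last: Optional[float] = None,
                   per_year: float = 0.0, company_fails: bool = False) -> tuple:
    """Return (name, impact, likelihood, score, band) for one loss scenario."""
    imp = impact_from_loss(loss_usd, company_fails)
    lik = likelihood_from_history(years_since_last, per_year)
    sc = risk_score(imp, lik)
    return (name, imp, lik, sc, risk_band(sc))


def matrix() -> dict:
    """The full 5x5 matrix as (Impact, Likelihood) -> band, for lookup or printing."""
    return {(i, l): risk_band(risk_score(i, l)) for i in Impact for l in Likelihood}


if __name__ == "__main__":
    # Constructed scenarios, loosely following the deck's university case study.
    for row in [
        score_scenario("Registration server disk failure", 42_000, years_since_last=3),
        score_scenario("Grades server hacker penetration", 2_110_000, years_since_last=12),
        score_scenario("Malware on staff laptops", 5_000, per_year=6),
    ]:
        name, imp, lik, sc, band = row
        print(f"{name:<36} {imp.name:<13} x {lik.name:<9} = {sc:>2}  {band}")
    m = matrix()
    print("Impact \\ Likelihood " + " ".join(f"{l.name:>9}" for l in Likelihood))
    for i in reversed(Impact):
        print(f"{i.name:<19} " + " ".join(f"{m[(i, l)]:>9}" for l in Likelihood))
```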

Page 26

Step 4: Compute Loss Using Quantitative Analysis

Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once. E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data (assumes no liability)

SLE = Asset Value (AV) x Exposure Factor (EF). With a stolen laptop, EF > 1.0

Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year. If a fire occurs once every 25 years, ARO = 1/25

Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat. ALE = SLE x ARO

Page 27

Risk Assessment Using Quantitative Analysis

Quantitative: Cost of HIPAA accident with insufficient protections

SLE = $50K + (1 year in jail:) $100K = $150K

Plus loss of reputation…

Estimate of Time = 10 years or less, so ARO = 0.1

Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K

Page 28

Annualized Loss Expectancy (rows: expected recurrence interval; columns: asset value)

Interval | $1K | $10K | $100K | $1M
1 Yr | 1K | 10K | 100K | 1000K
5 Yrs | 200 | 2K | 20K | 200K
10 Yrs | 100 | 1K | 10K | 100K
20 Yrs | 50 | 1K | 5K | 50K

Asset costs $10K, risk of loss 20% per year

Over 5 years, average loss = $10K

Spend up to $2K each year to prevent loss

Page 29

Quantitative Risk

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Registration Server | System or Disk Failure | System failure: $10,000; Registration x 2 days: $32,000 | 0.2 (5 years) | $8,400
Registration Server | Hacker penetration | Breach Not. Law: $752,000; Forensic help: $100,000; Registration x 2 days: $32,000 | 0.20 (5 years) | $884,000 x 0.2 = $176,800
Grades Server | Hacker penetration | Lawsuit: $1 million; FERPA: $1 million; Forensic help: $100,000; Loss of Reputation = $10,000 | 0.05 (20 years) | $2,110,000 x 0.05 = $105,500

Workbook

Page 30

Step 5: Treat Risk

Risk Acceptance: Handle attack when necessary. E.g.: Comet hits. Ignore risk if risk exposure is negligible

Risk Avoidance: Stop doing risky behavior. E.g.: Do not use Social Security Numbers

Risk Mitigation: Implement control to minimize vulnerability. E.g. Purchase & configure a firewall

Risk Transference: Pay someone to assume risk for you. E.g., Buy malpractice insurance (doctor). While financial impact can be transferred, legal responsibility cannot

Risk Planning: Implement a set of controls

Page 31

NIST Risk Assessment Methodology (flow diagram, reconstructed as Input -> Activity -> Output)

Hardware, software -> System Characterization -> System boundary; System functions; System/data criticality; System/data sensitivity

Company history; Intelligence agency data: NIPC, OIG -> Identify Threats -> List of threats & vulnerabilities

Audit & test results -> Identify Vulnerabilities -> List of threats & vulnerabilities

Current and Planned Controls -> Analyze Controls -> List of current & planned controls

Threat motivation/capacity -> Determine Likelihood -> Likelihood Rating

Business Impact Analysis; Data Criticality & Sensitivity analysis -> Analyze Impact -> Impact Rating

Likelihood of threat exploitation; Magnitude of impact -> Determine Risk -> Documented Risks

Plan for risk -> Recommend Controls -> Recommended Controls

Document Results -> Risk Assessment Report

Page 32

Control Types (diagram): the nodes are Threat, Vulnerability, Attack and Impact, with Deterrent, Preventive, Detective, Corrective and Compensating Controls placed between them; the arrow labels read "Reduces likelihood of" (twice), "Decreases", "Results in", "Reduces", "Protects", "Creates", "Triggers" and "Discovers".

Page 33

Page 34

Controls & Countermeasures

Cost of control should never exceed the expected loss assuming no control

Countermeasure = Targeted Control

• Aimed at a specific threat or vulnerability

• Problem: Firewall cannot process packets fast enough due to IP packet attacks

• Solution: Add border router to eliminate invalid accesses

Page 35

Analysis of Risk vs. Controls (Workbook)

Risk | ALE | Score | Control | Cost of Control
Stolen Faculty Laptop | $2K | $10,000 (FERPA) | Encryption | $60
Registration System or Disk Failure | $8,400 | | RAID (Redundant disks) | $750
Registration Hacker Penetration | $176,800 | | Unified Threat Mgmt Firewall | $1K

Cost of Some Controls is shown in Case Study Appendix
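The SLE x ARO = ALE arithmetic of the Quantitative Risk worksheet, the risk-leverage formula from the five-step overview, and the "cost of control should never exceed the expected loss" rule applied to the controls in the table above, as an added Python example (not code from the deck or its case study): the loss components, recurrence intervals and control costs are the slide figures; the residual ALE after each control is an assumption, since the slides do not state it.

```python
"""Quantitative risk worksheet: SLE, ARO, ALE and risk leverage.

Added example, not code from the slide deck. Loss components, recurrence
intervals and control costs are the figures printed on the Quantitative
Risk and Risk vs. Controls slides; the residual ALE assumed for each
control is a constructed assumption, because the slides state only what
each control costs.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    asset: str
    threat: str
    losses: dict            # cost components of one occurrence, in dollars
    years_between: float    # "once every N years" -> ARO = 1/N

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: what one occurrence of the threat costs."""
        return float(sum(self.losses.values()))

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence."""
        return 1.0 / self.years_between

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO, rounded to cents."""
        return round(self.sle * self.aro, 2)


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_ale: float     # ASSUMED expected annual loss remaining once the control is in place


def risk_leverage(ale_before: float, ale_after: float, control_cost: float) -> float:
    """(risk exposure before reduction - exposure after reduction) / cost of reduction.
    Above 1.0, each dollar spent on the control removes more than a dollar of expected loss."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return round((ale_before - ale_after) / control_cost, 2)


def control_is_justified(scenario: Scenario, control: Control) -> bool:
    """The cost of a control should never exceed the expected loss without it."""
    return control.annual_cost <= scenario.ale


def evaluate(scenario: Scenario, control: Control) -> dict:
    """One worksheet row: the quantitative figures plus the control comparison."""
    return {
        "asset": scenario.asset,
        "threat": scenario.threat,
        "sle": scenario.sle,
        "aro": scenario.aro,
        "ale": scenario.ale,
        "control": control.name,
        "cost": control.annual_cost,
        "leverage": risk_leverage(scenario.ale, control.residual_ale, control.annual_cost),
        "justified": control_is_justified(scenario, control),
    }


# Slide figures: SLE components and "once every N years" intervals.
REG_DISK = Scenario("Registration Server", "System or disk failure",
                    {"system failure": 10_000, "registration x 2 days": 32_000}, 5)
REG_HACK = Scenario("Registration Server", "Hacker penetration",
                    {"breach notification law": 752_000, "forensic help": 100_000,
                     "registration x 2 days": 32_000}, 5)
GRADES_HACK = Scenario("Grades Server", "Hacker penetration",
                       {"lawsuit": 1_000_000, "FERPA": 1_000_000,
                        "forensic help": 100_000, "loss of reputation": 10_000}, 20)

# Controls and costs from the Risk vs. Controls table. The residual ALEs are constructed
# assumptions: RAID taken to remove 90% of the failure ALE, the UTM firewall to halve
# the penetration ALE.
RAID = Control("RAID (redundant disks)", 750, residual_ale=840)
UTM = Control("Unified Threat Mgmt firewall", 1_000, residual_ale=88_400)

PLAN = [(REG_DISK, RAID), (REG_HACK, UTM)]


def worksheet() -> list:
    """Evaluate every (scenario, control) pair in PLAN."""
    return [evaluate(s, c) for s, c in PLAN]


if __name__ == "__main__":
    for row in worksheet():
        verdict = "justified" if row["justified"] else "NOT justified"
        print(f"{row['asset']:<20} {row['threat']:<24} SLE ${row['sle']:>12,.0f} "
              f"ARO {row['aro']:.2f} ALE ${row['ale']:>10,.0f} | {row['control']} "
              f"${row['cost']:,.0f}/yr, leverage {row['leverage']:.2f}, {verdict}")
    # The Grades Server has no control listed on the slide; its ALE is still worth knowing.
    print(f"Grades Server ALE with no control: ${GRADES_HACK.ale:,.0f}")
```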

Page 36

Extra Step: Step 6: Risk Monitoring

Stolen Laptop: In investigation; $2k, legal issues

HIPAA Incident Response: Procedure being defined – incident response; $200K

Cost overruns: Internal audit investigation; $400K

HIPAA: Physical security: Training occurred; $200K

Report to Mgmt status of security:

• Metrics showing current performance

• Outstanding issues

• Newly arising issues

• How handled – when resolution is expected

Security Dashboard, Heat chart or Stoplight Chart

Page 37

Training

Training shall cover:

Importance of following policies & procedures

Clean desk policy

Incident or emergency response

Authentication & access control

Privacy and confidentiality

Recognizing and reporting security incidents

Recognizing and dealing with social engineering

Page 38

Security Control Baselines & Metrics

Baseline: A measurement of performance

Metrics are regularly and consistently measured, quantifiable, inexpensively collected

Leads to subsequent performance evaluation

E.g. How many viruses is help desk reporting?

(Bar chart: Stolen Laptop, Virus/Worm and % Misuse counts for Year 1 through Year 4, y-axis 0 to 90. Company data - Not real)

Page 39

Risk Management

Risk Management is aligned with business strategy & direction

Risk mgmt must be a joint effort between all key business units & IS

Business-Driven (not Technology-Driven)

Steering Committee:

• Sets risk management priorities

• Defines risk management objectives to achieve business strategy

Page 40

Risk Management Roles

Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results

Chief Info Officer: IT planning, budget, performance incl. risk

Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process

Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.

Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals

System / Info Owners: Responsible to ensure controls in place to address CIA. Sign off on changes

IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.

Page 41

Due Diligence

Due Diligence = Did careful risk assessment (RA)

Due Care = Implemented recommended controls from RA

Liability minimized if reasonable precautions taken

(Diagram of reasonable precautions: Senior Mgmt Support, Risk Assessment, Backup & Recovery, Policies & Procedures, Adequate Security Controls, Compliance, Monitoring & Metrics, Business Continuity & Disaster Recovery)

Page 42

3 Ethical Risk Cases

1. On eve of doomed Challenger space shuttle launch, an executive told another: “Take off your engineering hat and put on your management hat.”

2. In Bhopal, India, a chemical leak killed approx. 3000 people, settlement was < 1/2 Exxon Valdez oil spill’s settlement. Human life = projected income (low in developing nations)

3. The Three Mile Island nuclear disaster was a ‘success’ because no lives were lost. Public acceptance of nuclear technologies eroded due to the environmental problems and the proven threat.

It is easy to underestimate the cost of others’ lives, when your life is not impacted.

Page 43

Question

Risk Assessment includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring

2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?

3. Assesses controls after implementation

4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Page 44

Question

Risk Management includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring

2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?

3. Assesses controls after implementation

4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Page 45

Question

The FIRST step in Security Risk Assessment is:

1. Determine threats and vulnerabilities

2. Determine values of key assets

3. Estimate likelihood of exploitation

4. Analyze existing controls

Page 46

Question

Single Loss Expectancy refers to:

1. The probability that an attack will occur in one year

2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)

3. The cost when the risk occurs to the asset once

4. The average cost of loss of this asset per year

Page 47

Question

The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:

1. The Chief Information Officer

2. The Chief Risk Officer

3. The Chief Information Security Officer

4. Enterprise governance and senior business management

Page 48

Question

Which of these risks is best measured using a qualitative process?

1. Temporary power outage in an office building

2. Loss of consumer confidence due to a malfunctioning website

3. Theft of an employee’s laptop while traveling

4. Disruption of supply deliveries due to flooding

Page 49

Question

The risk that is assumed after implementing controls is known as:

1. Accepted Risk

2. Annualized Loss Expectancy

3. Quantitative risk

4. Residual risk

Page 50

Question

The primary purpose of risk management is to:

1. Eliminate all risk

2. Find the most cost-effective controls

3. Reduce risk to an acceptable level

4. Determine budget for residual risk

Page 51

Question

Due Diligence ensures that

1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets


Security Planning: An Applied Approach | 04/19/23 | 52

Question

ALE is:

1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO

Page 53:

HEALTH FIRST CASE STUDY

Analyzing Risk

Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Licensed Practicing Nurse
Pat, Software Consultant


Security Planning: An Applied Approach | 04/19/23 | 54

Step 1: Define Assets


Security Planning: An Applied Approach | 04/19/23 | 55

Step 1: Define Assets

Consider Consequential Financial Loss

Asset Name: Medical DB
Direct Loss, Replacement ($ Value):
Consequential Financial Loss ($ Value), made up of:
  Daily Operation (DO)
  Medical Malpractice (M)
  HIPAA Liability (H)
  Notification Law Liability (NL)
Confidentiality, Integrity, and Availability Notes: C? I? A?


Security Planning: An Applied Approach | 04/19/23 | 56

Step 1: Define Assets

Consider Consequential Financial Loss

Asset Name: Medical DB
Direct Loss, Replacement ($ Value): $
Consequential Financial Loss ($ Value): DO + M + H + NL, where
  Daily Operation (DO): $
  Medical Malpractice (M): $
  HIPAA Liability (H): $
  Notification Law Liability (NL): $
Confidentiality, Integrity, and Availability Notes: C I A


Security Planning: An Applied Approach | 04/19/23 | 57

HIPAA Criminal Penalties

$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | …committed under false pretenses
Up to $500K | Up to 10 years | …with intent to sell, achieve personal gain, or cause malicious harm

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …


Security Planning: An Applied Approach | 04/19/23 | 58

HITECH Act (2009)

 | Each Violation | Max $ Per Year
CE/BA exercised reasonable diligence but did not learn about violation | $100-$50k | $1.5 Million
Violation is due to reasonable cause | $1k-$50k | $1.5 Million
CE/BA demonstrated willful neglect but corrected violation | $10k-$50k | $1.5 Million
CE/BA demonstrated willful neglect and took no corrective action | $50k | $1.5 Million

Penalties are prohibited if the problem is corrected within 30 days and there was no willful neglect.
Penalties pay for enforcement and redress for harm caused.


Security Planning: An Applied Approach | 04/19/23 | 59

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

Normal threats: Threats common to all organizations
Inherent threats: Threats particular to your specific industry
Known vulnerabilities: Previous audit reports indicate deficiencies.


Security Planning: An Applied Approach | 04/19/23 | 60

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

[Figure: risk matrix. Columns, Vulnerability (Severity): Slow Down Business, Temp. Shut Down Business, Threaten Business. Rows, Threat (Probability), expected interval between occurrences with annual rate in parentheses: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02). Cells hold scores from 1 to 4.]

Threats to place on the matrix: Snow Emergency, Hacker/Criminal, Loss of Electricity, Malware, Failed Disk, Stolen Laptop, Stolen Backup Tape(s), Social Engineering, Intruder, Fire, Flood, Earthquake, Pandemic, Tornado/Wind Storm


Security Planning: An Applied Approach | 04/19/23 | 61

Step 4: Compute Expected Loss
Step 5: Treat Risk

Step 4: Compute E(Loss)
ALE = SLE * ARO

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)

Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
Risk Avoidance: Stop doing risky behavior
Risk Mitigation: Implement control to minimize vulnerability
Risk Transference: Pay someone to assume risk for you
Risk Planning: Implement a set of controls
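As an added worked example (not from the slides or the textbook), the Step 2 to Step 5 arithmetic for the Medical DB asset in Python: the consequential loss categories summed into the asset value, the matrix's "once every N years" probability axis turned into an ARO, ALE = SLE * ARO per threat ranked highest first, and a check of whether a mitigating control's annual cost is justified by the ALE it removes. The exposure factor, the dollar figures and the control cost are assumed placeholders, since the slides leave every value blank.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    """Asset value = direct replacement cost + consequential losses (DO, M, H, NL)."""
    name: str
    replacement_value: float
    consequential: dict = field(default_factory=dict)

    def value(self) -> float:
        return self.replacement_value + sum(self.consequential.values())

def aro_from_interval(years: float) -> float:
    """ARO for a threat expected once every `years` years, as on the slide's
    probability axis: 10 years -> .1, 20 years -> .05, 50 years -> .02."""
    if years <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years

def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE * ARO."""
    return sle * aro

def risk_table(asset: Asset, threats: dict) -> list:
    """threats maps threat name -> (exposure factor, interval in years).
    The exposure factor (share of asset value lost per incident) is an assumed
    input used to derive SLE; rows are (asset, threat, SLE, ARO, ALE), highest ALE first."""
    rows = []
    for threat, (exposure, years) in threats.items():
        sle = asset.value() * exposure
        aro = aro_from_interval(years)
        rows.append((asset.name, threat, sle, aro, ale(sle, aro)))
    return sorted(rows, key=lambda r: r[4], reverse=True)

def worth_mitigating(ale_before: float, ale_after: float, control_cost: float) -> bool:
    """Step 5 aid: mitigate when the ALE a control removes exceeds its annual cost;
    otherwise accept, transfer, or avoid the risk instead."""
    return (ale_before - ale_after) > control_cost

# Constructed placeholder figures; the slides leave every $ value blank.
MEDICAL_DB = Asset("Medical DB", 40_000, {"DO": 25_000, "M": 100_000, "H": 50_000, "NL": 30_000})
THREATS = {"Stolen Laptop": (0.2, 5), "Failed Disk": (0.1, 1), "Fire": (1.0, 50)}

if __name__ == "__main__":
    for row in risk_table(MEDICAL_DB, THREATS):
        print("%s | %s | SLE $%.0f | ARO %.2f | ALE $%.0f" % row)
```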